Most U.S. Firms ‘Not Ready’ for Data Privacy Rules

[Photo: European Union flags at the entrance of the European Commission building in Brussels. Credit: Gerard Cerles/Agence France-Presse/Getty Images]

Most U.S. firms are unsure how stricter data privacy rules in Europe, set to take effect in less than a month, will affect their business, CompTIA reports.

Just one in four business executives with some level of data responsibility surveyed at U.S.-based organizations said they were “very familiar” with the General Data Protection Regulation, or GDPR, the European Union’s new rules aimed at protecting user-data privacy rights, the IT trade group said this week. The survey was conducted online earlier this month.

The rest were uncertain about the scope of the new rules, which go into effect May 25, or mistakenly thought they applied only to European firms or large multinational corporations.

Some falsely believed they had until the end of the year to comply, and others were unaware of the hefty fines facing businesses that violate the regulations, which can run as high as €20 million or 4% of a company’s worldwide annual turnover, whichever is higher.

“Confusion about the regulations remains a significant problem,” Todd Thibodeaux, the group’s president and chief executive officer, said in a statement.

He added that companies subject to the regulations are “running a huge financial risk” by failing to get a compliance plan in place by next month’s deadline.

The results are based on responses by officials at 400 small, medium and large firms, with large firms defined as those with more than 500 employees. Regardless of size, all of the companies surveyed collected at least some data from European customers or users, a CompTIA spokesman said.

Roughly half said they were still reviewing the rules and had yet to determine the impact, or believed the rules would not apply to their operations.

All told, only 13% said they were fully compliant with GDPR, while another 23% said they were “mostly compliant” and 12% were “somewhat compliant.”

Less than one quarter of firms surveyed said they had developed a compliance plan or conducted data audits and readiness assessments that included reviews of existing data privacy policies, terms of service and consent protocols, the survey found.

Rohan Kumar, Microsoft Corp.’s corporate vice president of Azure Data, told CIO Journal last week that Azure, the tech giant’s cloud division, has an entire team dedicated to gauging the impact of GDPR security and compliance issues on its corporate customers throughout the world.

With the compliance deadline looming, Mr. Kumar said many of the chief information officers he meets with at U.S. firms are sharpening their focus on data privacy, as regulations at home and abroad are likely to “get more and more strict.”